This artifact is used to create the profile to the environnements Debian / Ubuntu.
name: Linux.Volatility.Create.Profile
author: URCA (Corentin Garcia / Emmanuel Mesnard)
description: |
This artifact is used to create the profile to the environnements Debian / Ubuntu.
required_permissions:
- EXECVE
tools:
- name: Volatility
url: https://github.com/volatilityfoundation/volatility/archive/master.zip
parameters:
- name: Zipname
type: string
default: Ubuntu
precondition: SELECT OS From info() where OS = 'linux'
sources:
- queries:
- LET dirtmp = tempdir(remove_last=true)
LET vola = SELECT * FROM execve(argv=['bash', '-c', 'mv /tmp/master.zip /tmp/volatility-master.zip ; cd /tmp/ ; apt install -y dwarfdump zip unzip ; unzip -o /tmp/volatility-master.zip -d /tmp/ ; cd /tmp/volatility-master/tools/linux/ ; make clean ; make ; zip /tmp/' + Zipname + '.zip /tmp/volatility-master/tools/linux/module.dwarf /boot/System.map-$(uname -r)'])
SELECT * FROM foreach(
row={
SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="Volatility")
},
query={
SELECT * FROM chain(
a={SELECT *, if(condition=Complete, then=upload(file="/tmp/" + Zipname + ".zip", name=Zipname + ".zip")) As Upload FROM vola},
b={SELECT * FROM execve(argv=['bash', '-c', 'mv /tmp/volatility-master /tmp/volatility-master.zip /tmp/' + Zipname + '.zip ' + dirtmp])})
})